CVE-2021-21708: UAF due to php_filter_float() failing for ints

In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails there is a possibility of triggering use of allocated memory after free, which can result in crashes, and potentially in the overwrite of other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits.
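The description above names both the affected ranges and the triggering usage (FILTER_VALIDATE_FLOAT combined with min/max limits). The PHP below is an added example, not code from the bug report or from PHP itself: a version check against the fixed releases listed in the description, and a range-check wrapper that keeps the min/max comparison out of the filter options, so the described code path is never entered. Function names and the sample inputs are this example's own.

```php
<?php
// Added example (not from the bug report or PHP). Fixed releases are taken
// from the CVE description: 7.4.28, 8.0.16, 8.1.3.

/**
 * True when $version falls in one of the ranges the CVE names:
 * 7.4.x < 7.4.28, 8.0.x < 8.0.16, 8.1.x < 8.1.3. Other branches are
 * treated as unaffected by this particular issue.
 */
function phpAffectedByCve202121708(string $version = PHP_VERSION): bool
{
    $fixed  = ['7.4' => '7.4.28', '8.0' => '8.0.16', '8.1' => '8.1.3'];
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    return isset($fixed[$branch]) && version_compare($version, $fixed[$branch], '<');
}

/**
 * Validates a float and enforces [$min, $max] on the already-validated
 * value, rather than passing min_range/max_range to FILTER_VALIDATE_FLOAT.
 * Returns null when the input is not a float or is out of range.
 */
function validateFloatInRange($input, float $min, float $max): ?float
{
    $value = filter_var($input, FILTER_VALIDATE_FLOAT, FILTER_NULL_ON_FAILURE);
    if ($value === null) {
        return null;                       // not a float at all
    }
    if ($value < $min || $value > $max) {
        return null;                       // out of range; rejected after validation
    }
    return $value;
}

/**
 * The usage pattern the CVE describes: the filter itself applies min/max.
 * Kept only to show the contrast; it should run on a patched interpreter.
 */
function validateFloatWithFilterRange($input, float $min, float $max): ?float
{
    return filter_var($input, FILTER_VALIDATE_FLOAT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// Constructed sample inputs: an integer-like string, a float, and garbage.
printf("Running %s, affected: %s\n", PHP_VERSION,
    phpAffectedByCve202121708() ? 'yes' : 'no');
foreach (['11', '3.5', 'abc'] as $input) {
    var_dump(validateFloatInRange($input, 0.0, 5.0)); // 11 -> NULL, 3.5 -> 3.5, abc -> NULL
}
```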

Sec Bug #81708

UAF due to php_filter_float() failing for ints

Submitted: 2022-01-30 09:00 UTC
Modified: 2022-02-14 06:07 UTC
From: dukk at softdev dot online
Assigned: stas
Status: Closed
Package: Filter related
PHP Version: 8.0.15
OS: centos 8
Private report: No
CVE-ID: 2021-21708

[2022-01-30 09:00 UTC] dukk at softdev dot online

Description:

NGINX + php-fpm (versions tested 7.4.27, 8.0.15):

  1. place files from URL in webserver directory
  2. Requires PostgreSQL valid (nonce) connection string (edit B.php)
  3. make request (curl "http://127.0.0.1/A.php")
  4. obtain HTTP 502 in client and php-fpm process on server

in A.php change xml attribute val to "+11." - all is fine. no crash.

this PoC is extracted (stripped-down) from large code-base.

Test script:

https://github.com/MrdUkk/php-sigsegv

Expected result:

expected result is seeing PHP Fatal error: Uncaught Error: Class "APIException" not found in A.php:27

Actual result:

HTTP 502 and php-fpm server process crashed

Program received signal SIGSEGV, Segmentation fault.
0x000055ba505e7295 in _emalloc ()
(gdb) bt
#0  0x000055ba505e7295 in _emalloc ()
#1  0x000055ba505e810f in _ecalloc ()
#2  0x000055ba504a4977 in timelib_get_time_zone_info ()
#3  0x000055ba504a6a7f in timelib_unixtime2local ()
#4  0x000055ba50480c41 in php_format_date ()
#5  0x000055ba504572bc in php_log_err_with_severity ()
#6  0x000055ba5045771a in php_error_cb ()
#7  0x000055ba5045c3aa in zend_error_va_list ()
#8  0x000055ba5045c991 in zend_error ()
#9  0x000055ba5045833b in php_verror ()
#10 0x000055ba5045845c in php_error_docref ()
#11 0x00007f641246afd4 in pdo_raise_impl_error.cold () from target:/usr/lib64/php/modules/pdo.so
#12 0x00007f6412471e72 in zim_PDOStatement_bindValue () from target:/usr/lib64/php/modules/pdo.so
#13 0x000055ba50695a50 in execute_ex ()
#14 0x000055ba50696861 in zend_execute ()
#15 0x000055ba5060d2db in zend_execute_scripts ()
#16 0x000055ba505aa488 in php_execute_script ()
#17 0x000055ba50476af9 in main ()
(gdb)

History

[2022-01-31 14:47 UTC] [email protected]

-Summary: PHP-FPM sigsegv
+Summary: UAF due to php_filter_float() failing for ints
-Status: Open
+Status: Verified
-Package: FPM related
+Package: Filter related
-Assigned To:
+Assigned To: stas

[2022-02-14 06:00 UTC] [email protected]

-Status: Verified
+Status: Closed

[2022-02-14 06:07 UTC] [email protected]

-CVE-ID:
+CVE-ID: 2021-21708

Related news

CVE-2023-21850: Oracle Critical Patch Update Advisory - January 2023

Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

Red Hat Security Advisory 2022-8197-01

Red Hat Security Advisory 2022-8197-01 - PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server. Issues addressed include a use-after-free vulnerability.

RHSA-2022:8197: Red Hat Security Advisory: php security, bug fix, and enhancement update

An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
  * CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
  * CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE

RHSA-2022:7628: Red Hat Security Advisory: php:7.4 security, bug fix, and enhancement update

An update for the php:7.4 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
  * CVE-2021-21707: php: Special character breaks path in xml parsing
  * CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
  * CVE-2021-32610: php-pear: Directory traversal vulnerability

RHSA-2022:7624: Red Hat Security Advisory: php:8.0 security, bug fix, and enhancement update

An update for the php:8.0 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
  * CVE-2021-21708: php: Use after free due to php_filter_float() failing for ints
  * CVE-2022-31625: php: Uninitialized array in pg_query_params() leading to RCE

CVE-2022-21587: Oracle Critical Patch Update Advisory - October 2022

Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Gentoo Linux Security Advisory 202209-20

Gentoo Linux Security Advisory 202209-20 - Multiple vulnerabilities have been discovered in PHP, the worst of which could result in local root privilege escalation. Versions less than 7.4.30:7.4 are affected.

CVE-2016-4343: PHP: PHP 7 ChangeLog

The phar_make_dirstream function in ext/phar/dirstream.c in PHP before 5.6.18 and 7.x before 7.0.3 mishandles zero-size ././@LongLink files, which allows remote attackers to cause a denial of service (uninitialized pointer dereference) or possibly have unspecified other impact via a crafted TAR archive.
